[Owasp-leaders] Suggestion of better brand guidelines

johanna curiel curiel johanna.curiel at owasp.org
Mon Jun 20 17:19:02 UTC 2016


Hi Tiffany

Are there any specific activities towards defining clear policies using the
OWASP logo?



On Mon, Jun 20, 2016 at 1:08 PM, Tiffany Long <tiffany.long at owasp.org>
wrote:

> Hello Larry!
>
> I totally understand your concerns.  OWASP is an open source community
> dedicated to the results of our projects and outreach.  Anything that takes
> away from this would not be serving the community.  That is why I propose
> that we update our guidelines and simply make sure that our codified
> process for protecting our brand represents our needs and protects the hard
> work of our volunteers.  With this in place the work of defending our brand
> will be less time consuming as we will have legal protections and a process
> that will reach for the law after several other steps have been taken.
> Right now we don't actually have trademark protection and our marks can be
> used unscrupulously until we do.
>
>  Furthermore, as you have seen from the co-branding work done by Kelly
> Santalucia having our brand out there and recognized helps evangelize our
> message as well as bring new volunteers into our fold. Over all this
> process will help lead to further engagement and mitigate the risk of our
> volunteers work being used improperly or diluted by less quality products
> branded improperly.
>
> As to your enumerated questions:
>
> 1) No, absolutely not.  Branding helps us bring visibility to projects and
> should a corporation use the marks inappropriately it helps us protect
> them. The trademark does not interfere with licensing.  Think of it as
> allowing us to protect our art and names. The actual product is not
> affected except to allow us to ensure that the name is not used
> incorrectly.
>
> 2) I do not yet know the budget that will be allotted, but the cost will
> depend on what we choose to TM, and where we choose to do it.  For the
> first steps we will only require the cost of fees to apply for a TM and
> time from me, a paid employee.  We do not need a lawyer for the concrete
> steps I suggested. Volunteer input in the process will also be necessary to
> make sure we accurately reflect the needs of the community.  We will do our
> best to strike a balance to make the effort as productive and efficient as
> possible.
>
> -Tiffany
>
> On Mon, Jun 20, 2016 at 6:58 AM, johanna curiel curiel <
> johanna.curiel at owasp.org> wrote:
>
>> Hi Larry, Dirk
>>
>> I offered my support for this part to define clear policies with no cost
>> at all. I have access to legal support and can help provide this.
>>
>> The steps taken by Stephany are the right ones toward protection of
>> the brand but it is necessary to define better policies and process towards
>> protection of brand abuse.
>>
>> In the end it is about misrepresentation. Do we want vendors to use OWASP
>> logo in a way that should indicate endorsement?
>>  I don't think so especially when we proclaim, being vendor neutral and
>> using the OWASP logo in commercial vendor activities to promote business or
>> commercial activities should be clearly stipulated to avoid this:
>> http://www.acunetix.com/blog/articles/owasp-top-10-2010/
>> especially this:
>> https://pbs.twimg.com/media/CVO0vmSW4AAgZ6M.png:large
>>
>> and a page that cannot be found after Dirk mentioned the abuse on twitter:
>> https://twitter.com/drwetter/status/733744181340962816
>>
>> While I agree with many things you mentioned regarding lack of
>> engagement, I think at this point of time OWASP has a brand to protect and
>> should not really worry about lack of engagement and should establish clear
>> policies regarding this.
>>
>> Protecting a brand when there has been clear abuse cases is not a waste
>> of time, on the contrary, if we allow abuse, our vendor neutrality claims
>> will go down the drain and lose credibility
>>
>>
>> On Mon, Jun 20, 2016 at 8:48 AM, Larry Conklin <larry.conklin at owasp.org>
>>> wrote:
>>>
>>>> Is this really an issue that we need to drive time, and money towards?
>>>> We have some much publicized cases in the past of abuse of OWASP name and
>>>> branding being used by commercial security vendors. This is not what we
>>>> want as a community when we put volunteer hours into something and then
>>>> have a commercial enterprise try to make money for themselves. I appreciate
>>>> and support not wanting this type of abuse.
>>>>
>>>> My fear is that we are overreacting to brand abuse with a knee jerk
>>>> reaction. Yes, we have had complaints. The community and board so far has
>>>> been able to resolve these. Now we want more policies, attorneys
>>>> involvement, additional overhead and expenses? What will that really give
>>>> us? Our focus should always be on Application Security and being an open
>>>> organization.
>>>>
>>>> *Don’t fear lack of control. Fear lack of engagement. Lack of
>>>> engagement is our greatest weakness. Money and time should go towards
>>>> projects not more policies, legal fees, etc.*
>>>> If we are not careful we might back ourselves into a corner. The end
>>>> result could be a less open organization, more policies, with less money
>>>> going towards projects.  In the past we have been able to resolve branding
>>>> abuse with community and board working together.
>>>>
>>>> Open questions to community manager and board.
>>>>
>>>>    1. Does branding, logos, trademarks registered to OWASP take any
>>>>    rights away from project leaders or projects being open source?
>>>>    2. How much money is being budgeted for legal, etc. fees for
>>>>    branding, logos, and trademarks?
>>>>
>>>> Larry Conklin, CISSP
>>>>
>>>> On Mon, Jun 13, 2016 at 1:55 PM, Dirk Wetter <dirk at owasp.org> wrote:
>>>>
>>>>> BTW, I added my suggestion to the discussion/talk section.
>>>>>
>>>>>
>>>>> https://www.owasp.org/index.php?title=Talk%3AMarketing%2FResources&diff=217765&oldid=210932
>>>>>
>>>>> Cheers, Dirk
>>>>>
>>>>> Am 06/06/2016 um 05:33 PM schrieb Dirk Wetter:
>>>>> > Hi Liam and all,
>>>>> >
>>>>> > Am 05/20/2016 um 06:38 PM schrieb Liam Smit:
>>>>> >> Hi Dirk
>>>>> >>
>>>>> >> On Fri, May 20, 2016 at 5:57 PM, Dirk Wetter <dirk at owasp.org
>>>>> <mailto:dirk at owasp.org>> wrote:
>>>>> >>
>>>>> >>
>>>>> >>     Am 05/20/2016 um 05:07 PM schrieb johanna curiel curiel:
>>>>> >>
>>>>> >>
>>>>> >> <snip>
>>>>> >>
>>>>> >>     > Abuses will happen where financial gain is. If putting this
>>>>> logo can help me sell...well you bet the first ones happy will be the
>>>>> vendors.
>>>>> >>     > Contrast did that with OWASP benchmark publicising OWASP logo
>>>>> 'sponsored by' even the DHS logo.
>>>>> >>     > https://twitter.com/jctechno/status/672079500033814528
>>>>> >>
>>>>> >>     Ok, a TM would have helped here maybe.
>>>>> >>
>>>>> >>
>>>>> >>     But in general this is why I think giving away a supporter logo
>>>>> is not good either -- the
>>>>> >>     only point where we have
>>>>> >>     a different stance so far:
>>>>> >>
>>>>> >>     My firm belief is if you give away a logo you can't control
>>>>> the usage. It's like putting
>>>>> >>     a vulnerable
>>>>> >>     web application in the internet. Somebody will find and
>>>>> hack/abuse it. It also doesn't
>>>>> >>     matter if a law is
>>>>> >>     saying that it shouldn't be hacked [1]. Same with the logo.
>>>>> Giving a logo away is like
>>>>> >>     announcing
>>>>> >>     a vulnerable web app to all bad guys. So a supporter logo could
>>>>> be an invitation to abuse
>>>>> >>     (ideas see my first mail).
>>>>> >>
>>>>> >>     Also I do not understand the point in the first place: Why do
we want to give away a
>>>>> >>     logo? What's
>>>>> >>     our added benefit?
>>>>> >>
>>>>> >>     Thus I find a very strict logo policy accompanied with a proper
>>>>> TM the right thing to do.
>>>>> >>     There's
>>>>> >>     still potential for abuse but at least you did the best
reasonably possible.
>>>>> >>
>>>>> >>     Look at ISACA. You can't use the logo without written consent
>>>>> by ISACA.
>>>>> >>
>>>>> >>
>>>>> >> Why don't you put forward a strict logo use policy?
>>>>> >>
>>>>> >> Obviously it might not be adopted if most people prefer a looser
>>>>> logo usage policy but if you
>>>>> >> don't put anything forward then I highly doubt anything will come
>>>>> of you merely stating your
>>>>> >> preference for a strict usage policy.
>>>>> >
>>>>> > fair enough.
>>>>> >
>>>>> > Not so many people responded, so I wanted to limit my investment in
>>>>> terms of time.
>>>>> >
>>>>> > Suggestion:
>>>>> >
>>>>> > --snip
>>>>> >
>>>>> > The OWASP logo (future: is a trademark and) is the property of the
>>>>> OWASP Foundation.
>>>>> >
>>>>> > * OWASP logos must not be used by individuals or organizations to
>>>>> promote commercial products,
>>>>> > services, or events such as conferences, courses.
>>>>> > * OWASP logos must not be used in a manner that suggests that The
>>>>> OWASP Foundation supports,
>>>>> > advocates, endorses, or recommends any particular product, services
>>>>> or technology.
>>>>> > * OWASP logos must not be used in a manner that suggests that a
>>>>> product or technology is
>>>>> > compliant with any OWASP Materials
>>>>> > * OWASP logos must not be used in a manner that suggests that a
>>>>> product or technology can
>>>>> > enable compliance with any OWASP Materials
>>>>> > * OWASP logos may be used by special arrangement with The OWASP
>>>>> Foundation. Requests to use
>>>>> > OWASP logos should be directed in writing to
>>>>> >   <fillinmailaddresshere>. Requests will be evaluated on a
>>>>> case-by-case basis by a compliance team.
>>>>> > * The special arrangement can be withdrawn by OWASP at any point of
>>>>> time.
>>>>> >
>>>>> > --snap
>>>>> >
>>>>> > I was replacing brand by logo. I haven't seen @
>>>>> >
>>>>> https://www.owasp.org/index.php/Marketing/Resources#tab=BRAND_GUIDELINES
>>>>> > any definition of the term "brand". If that would be clarified we
>>>>> could swap that back.
>>>>> >
>>>>> >
>>>>> >
>>>>> >
>>>>> > Cheers, Dirk
>>>>> >
>>>>> >
>>>>>
>>>>> --
>>>>> German OWASP Chapter Lead
>>>>> Send me encrypted mails (Key ID 0xB818C039)
>>>>>
>>>>> _______________________________________________
>>>>> OWASP-Leaders mailing list
>>>>> OWASP-Leaders at lists.owasp.org
>>>>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>>>>
>>>>
>>>>
>>>>
>>>
>>>
>>> --
>>> Johanna Curiel
>>> OWASP Volunteer
>>>
>>
>>
>>
>> --
>> Johanna Curiel
>> OWASP Volunteer
>>
>>
>


-- 
Johanna Curiel
OWASP Volunteer